httpd-docs mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject [Fwd: Re: cvs commit: httpd-2.0/docs/error/include top.html]
Date Sun, 25 Aug 2002 00:47:58 GMT

I should have copied this to docs@...

-------- Original Message --------
Subject: Re: cvs commit: httpd-2.0/docs/error/include top.html
Date: Sat, 24 Aug 2002 20:03:44 -0400
From: Joshua Slive <joshua@slive.ca>
Reply-To: dev@httpd.apache.org
To: dev@httpd.apache.org
References: <20020824222516.15369.qmail@icarus.apache.org>

erikabele@apache.org wrote:
 > erikabele    2002/08/24 15:25:16
 >
 >   Modified:    docs/error HTTP_BAD_GATEWAY.html.var
 >                         HTTP_INTERNAL_SERVER_ERROR.html.var
 >                docs/error/include top.html
 >   Log:
 >   Added encoding="none" for the ssi-output of REDIRECT_ERROR_NOTES.
 >   This fixes the output of HTML-tags through the above env-var (e.g.
 >   <p> instead of &lt;p&gt;).

Hmmm... We need a security-review of this change.  Is it possible in any
way for the client to insert something into REDIRECT_ERROR_NOTES?  If
so, this change must be reversed, because it opens a
Cross-site-scripting vulnerability.

I don't know the answer, but we need to be careful here.

Where are the <p> tags coming from, anyway?  I thought ERROR_NOTES was
plain text.

Joshua.
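
Added example, not part of the original message or of httpd: a small Python model of the SSI echo element that shows what encoding="none" changes in the rendered page and lists the variables a template echoes without encoding, which are the ones to trace back to their source in a review like the one requested above. The template strings and the note value are constructed, the function names are hypothetical, and the entity encoder only approximates the server's HTML escaping.

```python
import html
import re
from urllib.parse import quote

# An SSI echo element: <!--#echo [encoding="..."] var="..." -->
ECHO_RE = re.compile(r'<!--#echo\s+(.*?)\s*-->', re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

ENCODERS = {
    "none": lambda v: v,                               # value is written as-is
    "entity": lambda v: html.escape(v, quote=False),   # approximation of the server's escaping
    "url": lambda v: quote(v, safe="/"),
}

def _pairs(attr_string):
    """Yield (var, encoding). An encoding attribute only affects vars after it."""
    encoding = "entity"  # mod_include's default for echo
    for name, value in ATTR_RE.findall(attr_string):
        if name == "encoding":
            encoding = value
        elif name == "var":
            yield value, encoding

def render(template, env):
    """Expand echo elements the way the page would be sent to the client."""
    def repl(match):
        return "".join(ENCODERS[enc](env.get(var, "(none)"))
                       for var, enc in _pairs(match.group(1)))
    return ECHO_RE.sub(repl, template)

def unencoded_vars(template):
    """Variables echoed with encoding="none": each needs its source reviewed."""
    return sorted({var for m in ECHO_RE.finditer(template)
                   for var, enc in _pairs(m.group(1)) if enc == "none"})

# Constructed stand-ins for the template before and after the commit.
BEFORE = '<p><!--#echo var="REDIRECT_ERROR_NOTES" --></p>'
AFTER = '<p><!--#echo encoding="none" var="REDIRECT_ERROR_NOTES" --></p>'
# Constructed note value containing markup.
NOTE = 'Reason: <strong>DNS lookup failure</strong>'

if __name__ == "__main__":
    env = {"REDIRECT_ERROR_NOTES": NOTE}
    print(render(BEFORE, env))
    print(render(AFTER, env))
    print(unencoded_vars(AFTER))
```

With encoding="none" every character of the variable reaches the browser unchanged, so the output is only as trustworthy as whatever module wrote the note.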